Long-simmering tensions over Ireland’s regulation of Big Tech have burst out into public after German officials attacked the Irish Data Protection Commission for failing to enforce GDPR.
Because Google, Facebook, Microsoft and Twitter have their EU headquarters in Dublin, Ireland has responsibility for ensuring their compliance with GDPR, the privacy rules that came into force in May 2018.
But since then, the Irish regulator has been heavily criticised for its lack of teeth, having issued only one fine of €450,000 against Twitter in December 2020.
On Wednesday, Ulrich Kelber, Germany’s chief data protection watchdog, wrote to members of the European Parliament to complain that Germany alone had “sent more than 50 complaints about WhatsApp” to the Irish authorities, “none of which had been closed to date”.
He also criticised Ireland’s “extremely slow case handling, which falls significantly behind the case handling progress of most EU and especially German supervisors”. He noted that by the end of last year, Ireland was leading 196 cases, but had concluded only four, while Germany had closed 52 out of 176 cases.
Kelber was responding to a letter from Helen Dixon, his Irish counterpart, defending her country’s record to the European Parliament ahead of a resolution that named and shamed Ireland and Luxembourg, where Amazon has its EU headquarters, for their weak enforcement record.
The European Parliament’s civil liberties committee voted this week to single out Ireland for its apparent “inaction . . . to address the lack of resources of the data protection authorities”.
Ahead of the vote, Dixon wrote that on the matter of sanctions the German’s privacy watchdog had been overruled by the courts in fines it had handed out. “None of this is intended as criticism of the approaches adopted by German supervisory authorities to issues around sanction. It does, however, illustrate that challenges are being experienced by all [privacy watchdogs] in their dealings with a new legal framework,” she wrote.
Her comments seemed to have irritated her German colleagues. Kelber accused Dixon of making statements that “reflect her personal views in a very one-sided manner” and “leave her isolated in the circle of European data protection supervisory authorities”.
In her letter Dixon also said that apart from the Irish authority no other country had taken action to address the changes after a US-EU data sharing agreement was struck down by Europe’s highest court last year.
“This statement by Ms Dixon is simply wrong,” Kelber wrote, explaining how the German authority took swift action shortly after the ruling and continues to actively engage with businesses over its ramifications.
This is not the first time the Irish privacy watchdog has been criticised for not taking sufficient action against Big Tech. France, Spain, Italy and others have also voiced concerns.
Against this backdrop, France has aggressively lobbied for every member state to have the right to enforce privacy rules ahead of a major overhaul of the tech rules for the bloc.
The Irish and German privacy watchdogs did not immediately reply to requests for comment.